NL +31 (0)20 4232420 / SP +34 937 379 542

This blog is part of a blog series on the 12 requirements of PCI DSS. We discuss the common challenges and explain what kind of evidence is needed to comply with the requirement. Here we discuss:


Requirement 9 of PCI DSS:
Restricting physical access to cardholder data


This requirement focuses on the protection of physical access to systems with cardholder data, as well as the elimination of removable magnetic devices or paper copies with cardholder data in a secure mode. Without physical access controls, unauthorized persons could gain access to the installation to steal, disable, interrupt or destroy critical systems and the cardholder data.

The main challenges and steps to consider:

  • Restrict physical access only to authenticated users
    Implement a solution for physical access control such as credential readers or other devices, including authorized credentials and the lock and key.
  • Distinguish between authorized visitors and employees
    Implement an access process that allows distinguishing between authorized visitors and employees, to prevent unauthorized visitors from accessing areas that contain cardholder data.
  • Physical monitoring of sensitive areas
    Use video cameras for continuous monitoring of access to sensitive areas where devices with cardholder data are housed.
  • Protect physical access to all removable or portable media containing the cardholder data
    Physically protect against unauthorized access to all removable or portable media containing the cardholder data.
  • Inspect all devices periodically
    Periodically inspect all devices to detect possible alterations or replacements and minimize the potential impact of the use of fraudulent devices.
  • Make sure all discarded devices are emptied and/or information is deleted
    Securely delete the information contained in the mobile or removable physical devices before being discarded to prevent malicious people from recovering their information.
  • Set up a procedure for the distribution of media with cardholder data
    Keep strict control through a procedure and inventories on the internal or external distribution of any type of media with cardholder data.

Security is not absolute, different layers of security must always be implemented. For devices, physical control should be incorporated as an external layer of security into logical security.


Need help with PCI DSS implementation? Our QSAs can help out.

Read more about:
PCI DSS requirement 1: Protecting Cardholder data environment
PCI DSS requirement 2: Change your defaults
PCI DSS requirement 3: Don’t store cardholder data  
PCI DSS requirement 4: Encryption  
PCI DSS requirement 5: Update and Scan 
PCI DSS requirement 6: Develop and maintain secure systems and applications
PCI DSS requirement 7: Restrict access to CHD 
PCI DSS requirement 8: Identify, Authenticate, and Authorize  
PCI DSS requirement 9: Restrict physical access to Cardholder data 
PCI DSS requirement 10: Track and monitor all access to network resources and cardholder data